Re: HA Proxy not distributing the load

2017-02-20 Thread Aleksandar Lazic
On 20-02-2017 16:32, Khaleel.Shaik wrote: HA-Proxy version 1.6.3 2015/12/25 latest is 1.6.11 any idea when you are able to update? no clients are used. ? Who connects to the LB/haproxy/JBoss Setup ? If "no clients" why do you need this setup ;-) What is your definition

Re: HA Proxy not distributing the load

2017-02-20 Thread Khaleel.Shaik
HA-Proxy version 1.6.3 2015/12/25 no clients are used. accessing the HAproxy as Frontend through Load balancing ip and connecting jboss as backend. On Mon, Feb 20, 2017 at 3:05 PM, Aleksandar Lazic <al-hapr...@none.at> wrote: > Hi. > > Am 20-02-2017 09:55, schrieb Khaleel.S

Re: HA Proxy not distributing the load

2017-02-20 Thread Aleksandar Lazic
Hi. On 20-02-2017 09:55, Khaleel.Shaik wrote: My HA Proxy configuration attached, which is not distributing the load to all the appservers. Could you please help me What's your haproxy version? output of haproxy -vv Which clients are used? In case of browsers try to remove the cookie line

HA Proxy not distributing the load

2017-02-20 Thread Khaleel.Shaik
My HA Proxy configuration attached, which is not distributing the load to all the appservers. Could you please help me haproxy.cnf Description: Binary data

Re: Return codes from proxy

2017-02-15 Thread Birdwell, Rob
hare the exact curl command if it helps you (and as long as the contents stay between us). Logs from proxy are directly below: I'm not talking about the request from the client to haproxy but from haproxy to the application server. In your apache configuration, you have Proxy

Re: Return codes from proxy

2017-02-15 Thread Birdwell, Rob
are in the thread way down below. I can share the exact curl command if it helps you (and as long as the contents stay between us). Logs from proxy are directly below: I'm not talking about the request from the client to haproxy but from haproxy to the application server. In your apac

Re: Return codes from proxy

2017-02-15 Thread Birdwell, Rob
sales..net:80 check Both return a 200 status code. I wanted to note that I am also being forced to terminate SSL at the HAProxy level and in Apache HTTP, this is not happening. If I do not terminate SSL at proxy, I receive a 504. I would definitely prefer NOT to terminate SSL at the proxy

Re: Return codes from proxy

2017-02-15 Thread Birdwell, Rob
server & HAProxy server. The details for the HAProxy curl are in the thread way down below. I can share the exact curl command if it helps you (and as long as the contents stay between us). Logs from proxy are directly below: I'm not talking about the request from the client to haproxy but fr

Re: Return codes from proxy

2017-02-14 Thread Cyril Bonté
rver. The details for the HAProxy curl are in the thread way down below. I can share the exact curl command if it helps you (and as long as the contents stay between us). Logs from proxy are directly below: I'm not talking about the request from the client to haproxy but from haproxy to the applica

Re: Return codes from proxy

2017-02-14 Thread Birdwell, Rob
This information may also help: haproxy -vv HA-Proxy version 1.6.11 2016/12/25 Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org> Build options : TARGET = linux2628 CPU = native CC = gcc CFLAGS = -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-sta

Re: Return codes from proxy

2017-02-14 Thread Birdwell, Rob
way down below. I can share the exact curl command if it helps you (and as long as the contents stay between us). Logs from proxy are directly below: Feb 14 22:52:06 localhost haproxy[22304]: Proxy globalstats started. Feb 14 22:52:06 localhost haproxy[22304]: Proxy www-http started. Feb 14 22:5

Re: Return codes from proxy

2017-02-14 Thread Cyril Bonté
On 2/14/17, 1:58 PM, "Cyril Bonté" <cyril.bo...@free.fr> wrote: Hi Rob, On 14/02/2017 at 20:23, Birdwell, Rob wrote: > Hello, > > I was curious if someone would be able to assist with return codes from HAProxy. Currently, we are able to receive

Re: Return codes from proxy

2017-02-14 Thread Birdwell, Rob
2/2017 at 20:23, Birdwell, Rob wrote: > Hello, > > I was curious if someone would be able to assist with return codes from HAProxy. Currently, we are able to receive a 201 for a reverse proxy solution from Apache HTTP, but when utilizing HAProxy, only a 200 is received uti

Re: Return codes from proxy

2017-02-14 Thread Cyril Bonté
Hi Rob, On 14/02/2017 at 20:23, Birdwell, Rob wrote: Hello, I was curious if someone would be able to assist with return codes from HAProxy. Currently, we are able to receive a 201 for a reverse proxy solution from Apache HTTP, but when utilizing HAProxy, only a 200 is received utilizing

Return codes from proxy

2017-02-14 Thread Birdwell, Rob
Hello, I was curious if someone would be able to assist with return codes from HAProxy. Currently, we are able to receive a 201 for a reverse proxy solution from Apache HTTP, but when utilizing HAProxy, only a 200 is received utilizing an identical cURL command. The current HAProxy/Apache

Re: What version of ha-proxy supports init-addr?

2017-01-20 Thread Cyril Bonté
Hi, On 20/01/2017 at 21:30, Rinaldo DiGiorgio wrote: Hi, I see many comments on the web about how it was added in 1.7 but I am unable to find init-addr in 1.7, 1.7.1 or 1.72. I do find a description in 1.8. Is it available in 1.7.2 but not documented? You probably missed it ;-)

What version of ha-proxy supports init-addr?

2017-01-20 Thread Rinaldo DiGiorgio
Hi, I see many comments on the web about how it was added in 1.7 but I am unable to find init-addr in 1.7, 1.7.1 or 1.72. I do find a description in 1.8. Is it available in 1.7.2 but not documented? Rinaldo

Re: Reverse proxy settings

2017-01-13 Thread Thierry
Hello Aaron, I have modified it, now I do have: This is now working :) Thx a lot ... On Friday 13 January 2017 at 20:18:13, you wrote: Hi Thierry, You need to add "ssl" to the server line, probably "ssl verify none"

Re: Reverse proxy settings

2017-01-13 Thread Aaron West
Hi Thierry, You need to add "ssl" to the server line, probably "ssl verify none" if you don't need it to check validity of the backend cert. So : backend https-in mode http option httplog option forwardfor http-request set-header X-Forwarded-Port %[dst_port]

Reverse proxy settings

2017-01-13 Thread Thierry
Hi, Still me working around ... The main target is to send HTTPS request through my web server using the HAproxy as frontend. My web server only accept HTTPS (443) requests. My HAproxy config: Web Server Config frontend https-in mode http bind :443 ssl crt

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Thierry
Hello Daniel, From my first post, you can see the config with ssl. To switch to TCP mode, I have removed: - All ciphers - In defaults, I have switched from "mode http" to "mode tcp" - In frontend email-https, I have removed "

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Daniel Schneller
, > Michael Rosbach, Handelsregister-Nr.: HRB 18655, > HR-Gericht: Bonn, USt-IdNr.: DE-815299431 > > > > On 12. Jan. 2017, at 14:14, Thierry <lenai...@maelenn.org > <mailto:lenai...@maelenn.org>> wrote: > > Re: HAproxy / Reverse proxy Debian > Bonjour D

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Thierry
Hello Daniel, I am not sure to understand. I am using iRedMail as email server. This email server does have ssl/TLS activated. ** listen 888 http2; ssl on; ssl_certificate /etc/ssl/certs/cert.chained.crt; ssl_certificate_key /etc

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Daniel Schneller
Sounds as if you have nginx set up for TLS termination, too. This does not make sense, because haproxy will already have decrypted the traffic. Make sure nginx does not expect https on what in your config would be ip_email_server:888. -- Daniel Schneller Principal Cloud Engineer

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Thierry
Hello Daniel, I have resolved my problem, HAproxy does start now (ssl ok). But when trying to reach my email server, I now do have a: 400 Bad gateway - The plain HTTP request was sent to HTTPS port - Nginx It should not be the case because 'reqadd x

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Daniel Schneller
Re-adding the list. And: > Do I have to "cat file.key file.crt file.pem > certi.chained.crt" ?? Yes. Though I am not sure what file.crt and file.pem are :) Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Daniel Schneller
Thierry, always helps to know the haproxy version you use. As for your error message, do you have private key, your site’s certificate and all necessary chain certificates in the crt files you reference in your config? IIRC they need to be in the order 1. key 2. site cert (“leaf”) 3.

HAproxy / Reverse proxy Debian

2017-01-12 Thread Thierry
if !{ ssl_fc } server hostname ip_web_server:443 The main plan is to forward all HTTPS (port:443) requests to my web server and all HTTPS(port:888) to my email server. Do you see any mistake in my config ? Logs from HAproxy: haproxy[15953]: [ALERT] 011/101209 (15953) : Proxy 'email-https

Re: http reuse and proxy protocol

2017-01-05 Thread Arnall
On 03/01/2017 at 18:18, Lukas Tribus wrote: Hi Arnall, On 03.01.2017 at 16:15, Arnall wrote: Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request has used the xxx.xxx.xxx.xxx connection between https and http frontend with proxy protocol forwarding xxx.x

Re: http reuse and proxy protocol

2017-01-03 Thread Willy Tarreau
On Tue, Jan 03, 2017 at 06:18:23PM +0100, Lukas Tribus wrote: > Hi Arnall, > > > On 03.01.2017 at 16:15, Arnall wrote: > > > > Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request > > has used > > the xxx.xxx.xxx.xxx connect

Re: http reuse and proxy protocol

2017-01-03 Thread Lukas Tribus
Hi Arnall, On 03.01.2017 at 16:15, Arnall wrote: Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request has used the xxx.xxx.xxx.xxx connection between https and http frontend with proxy protocol forwarding xxx.xxx.xxx.xxx instead of yyy.yyy.yyy.yyy ? Yes, t

http reuse and proxy protocol

2017-01-03 Thread Arnall
ver web_plain u...@plain.sock send-proxy-v2-ssl frontend web_plain bind*:80 process 1 bind u...@plain.sock process 1 accept-proxy I have forgotten that in default section i had this : http-reuse always Today a user tells us that he had access for one moment to debug tools of the site. De

Re: ssl offloading and send-proxy-v2-ssl

2016-12-31 Thread Arnall
s 3 ../.. server web_plain u...@plain.sock send-proxy-v2-ssl frontend web_plain bind*:80 process 1 bind u...@plain.sock process 1 accept-proxy ../.. And i'm looking for a secure solution in the web_plain frontend to know if the request come from web_tls or not ( in fact i want to k

Re: ssl offloading and send-proxy-v2-ssl

2016-12-31 Thread Arnall
Hi, thanks for your answer, didn't know the src_is_local feature as it's a 1.7 feature, we're still in 1.6. the dst_port seems ok to me, will use it ! Happy new year ! On 27/12/2016 at 08:29, Elias Abacioglu wrote: Sorry just realized, src_is_local won't work when using proxy protocol

Re: ssl offloading and send-proxy-v2-ssl

2016-12-27 Thread Willy Tarreau
Hi Patrick, On Mon, Dec 26, 2016 at 11:35:51PM +, Patrick Hemmer wrote: > On 2016/12/23 09:28, Arnall wrote: > > I though that send-proxy-v2-ssl could help but i have no idea how ... > > src and src_port are OK with the proxy protocol but ssl_fc in > > web_plain keeps

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Elias Abacioglu
Sorry just realized, src_is_local won't work when using proxy protocol. Proxy protocol will preserve initial source information. You can probably use dst_port like this instead: acl secure dst_port 443 if is secure On Mon, Dec 26, 2016 at 11:09 PM, Elias Abacioglu < elias.aba

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Patrick Hemmer
erver web_plain u...@plain.sock send-proxy-v2-ssl > > frontend web_plain > bind*:80 process 1 > bind u...@plain.sock process 1 accept-proxy > > ../.. > > And i'm looking for a secure solution in the web_plain frontend to > know if the request come f

Re: ssl offloading and send-proxy-v2-ssl

2016-12-26 Thread Elias Abacioglu
ng a nbproc > 1 configuration for ssl offloading : > > listen web_tls > mode http > bind *:443 ssl crt whatever.pem process 2 > bind *:443 ssl crt whatever.pem process 3 > > ../.. > server web_plain u...@plain.sock send-proxy-v2-ssl > > frontend web_pla

ssl offloading and send-proxy-v2-ssl

2016-12-23 Thread Arnall
Hi everyone, i'm using a nbproc > 1 configuration for ssl offloading : listen web_tls mode http bind *:443 ssl crt whatever.pem process 2 bind *:443 ssl crt whatever.pem process 3 ../.. server web_plain u...@plain.sock send-proxy-v2-ssl frontend web_plain bind*

Status code -1 with HA-Proxy version 1.5.15

2016-12-22 Thread Alexey Zilber
Hi All, I'm seeing the 'status code' as -1 in haproxy logs, whereas the documentation specifies: "The status code is always 3-digit." I do see the 'normal' result codes, but I also see a lot of -1's. Any idea what causes this? -Alex

Re: Problem with http-request set-src and send-proxy on 1.6

2016-11-18 Thread Janusz Dziemidowicz
2016-11-18 14:27 GMT+01:00 Janusz Dziemidowicz <rrapt...@nails.eu.org>: > listen default > bind : > http-request set-src req.hdr_ip(X-Forwarded-For) > server localhost 127.0.0.1:80 send-proxy Sorry, there are obviously two binds there: bind : bind :

Problem with http-request set-src and send-proxy on 1.6

2016-11-18 Thread Janusz Dziemidowicz
Hello, I think I've found a problem how http-request set-src interacts with PROXY protocol on backend servers. Very simple setup: listen default bind : http-request set-src req.hdr_ip(X-Forwarded-For) server localhost 127.0.0.1:80 send-proxy wget -4 --header='X-Forwarded-For: 192.0.2.1

Re: [PATCH 1/8] MINOR: tcp: Store upstream proxy TCP informations before overwrite

2016-11-14 Thread Willy Tarreau
Hi Bertrand, On Mon, Nov 14, 2016 at 08:49:28AM +0100, Willy Tarreau wrote: > I'll pick your fixes from the patchset though ;-) OK, patches 4 to 8 applied, and 1-3 kept for later, thanks! Willy

Re: [PATCH 1/8] MINOR: tcp: Store upstream proxy TCP informations before overwrite

2016-11-13 Thread Willy Tarreau
appens. Or more easily I may be able to replace > the struct proxy_addr with a pointer to a struct proxy_addr that would > be initialized only of one of the proxy protocol is in use. Well in this case I'd prefer that we postpone it after the release and that we try to improve the overall

Re: [PATCH 1/8] MINOR: tcp: Store upstream proxy TCP informations before overwrite

2016-11-13 Thread Bertrand Jacquin
On Sun, Nov 13, 2016 at 07:48:46PM +0100, Willy Tarreau wrote: > Hi Bertrand, > > On Sun, Nov 13, 2016 at 04:37:07PM +, Bertrand Jacquin wrote: > > This can be useful in order to extend ACL and log format with upstream > > proxy information when accept-proxy or accept-n

Re: [PATCH 1/8] MINOR: tcp: Store upstream proxy TCP informations before overwrite

2016-11-13 Thread Willy Tarreau
Hi Bertrand, On Sun, Nov 13, 2016 at 04:37:07PM +, Bertrand Jacquin wrote: > This can be useful in order to extend ACL and log format with upstream > proxy information when accept-proxy or accept-netscaler-cip is being > used Thanks for these patches! Well, I understand th

[PATCH 3/8] MINOR: log: Add upstream proxy keyword

2016-11-13 Thread Bertrand Jacquin
When accept-proxy or accept-netscaler-cip are being used, this gives the ability to log upstream proxy source IP and port. --- doc/configuration.txt | 4 include/types/log.h | 4 src/log.c | 66 +++ 3 files changed, 74

[PATCH 2/8] MINOR: tcp: Add upstream proxy information fetch

2016-11-13 Thread Bertrand Jacquin
When accept-proxy or accept-netscaler-cip are being used, this gives the ability to perform action based on the TCP connections between upstream proxy and haproxy instead of the connection between the client and the upstream proxy. --- doc/configuration.txt | 28 src/proto_tcp.c

[PATCH 1/8] MINOR: tcp: Store upstream proxy TCP informations before overwrite

2016-11-13 Thread Bertrand Jacquin
This can be useful in order to extend ACL and log format with upstream proxy information when accept-proxy or accept-netscaler-cip is being used --- include/proto/connection.h | 32 include/types/connection.h | 9 - src/connection.c | 42

Re: S FTP + HA PROXY confutation facing one serious issue.

2016-10-29 Thread Michael Ezzell
On Wed, Oct 26, 2016 at 8:04 AM, mal reddy <malreddyt...@gmail.com> wrote: > Hi Ha proxy Team, > > Any updates. > You appear to be attempting to do something that isn't possible, for reasons that are related to the protocol design of SSH/SFTP.​ > I checked HA-Pro

Re: S FTP + HA PROXY confutation facing one serious issue.

2016-10-26 Thread mal reddy
Hi Ha proxy Team, Any updates. *MyObjective*:Client upload file via HaProxy and it will upload in sftp servers *example*: expected this type of configuration in Ha Proxy a.kk.com 192.168.0.1(sftp 1 server ip) b.kk.com

[PATCH 1/4] MINOR: proxy: add 'served' field to proxy, equal to total of all servers'

2016-10-25 Thread Andrew Rodland
This will allow lb_chash to determine the total active sessions for a proxy without any computation. Signed-off-by: Andrew Rodland <andr...@vimeo.com> --- include/types/proxy.h | 1 + src/queue.c | 1 + src/stream.c | 2 ++ 3 files changed, 4 insertions(+) diff

Re: Detection of PROXY protocol version and Citrix CIP

2016-10-25 Thread Willy Tarreau
Hi Hugo, I'm CCing Bertrand who implemented the netscaler CIP protocol. On Mon, Oct 17, 2016 at 01:36:40PM -0700, Hugo Slabbert wrote: > The PROXY protocol spec specifically indicates that a receiver should not > try to guess whether or not a PROXY protocol header is pre

Fwd: S FTP + HA PROXY confutation facing one serious issue.

2016-10-25 Thread Hemang Rami
Hello HaProxy Team, *MyObjective*:Client upload file via HaProxy and it will upload in sftp servers *example*: expected this type of configuration in Ha Proxy a.kk.com 192.168.0.1(sftp 1 server ip) b.kk.com 192.168.0.2(sftp

S FTP + HA PROXY confutation facing one serious issue.

2016-10-24 Thread Hemang Rami
Hello HaProxy Team, *MyObjective*:Client upload file via HaProxy and it will upload in sftp servers *example*: expected this type of configuration in Ha Proxy a.kk.com 192.168.0.1(sftp 1 server ip) b.kk.com 192.168.0.2(sftp

Detection of PROXY protocol version and Citrix CIP

2016-10-17 Thread Hugo Slabbert
The PROXY protocol spec specifically indicates that a receiver should not try to guess whether or not a PROXY protocol header is present[1]: The receiver MUST be configured to only receive the protocol described in this specification and MUST not try to guess whether the protocol header

Re: Sharing SSL information via PROXY protocol or HAProxy internally

2016-10-17 Thread Lukas Erlacher
Hi, For this specific case of http to https redirect I use the X-Forwarded-Proto header. In the ssl frontend I do this: http-request set-header X-Forwarded-Proto https and in the plain http frontend I do this: http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https } The

Re: Sharing SSL information via PROXY protocol or HAProxy internally

2016-10-16 Thread haproxy
I too am interested in this functionality. Looking at the proxy protocol documentation (http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt), it seems that the requisite information is present in the PP2 header: " The PP2_CLIENT_SSL flag indicates that the client connected over SS

transparent or intercepting proxy with https

2016-09-20 Thread Brendan Kearney
i am trying to setup a transparent or intercepting proxy, that works with HTTPS, and have hit a bit of a wall. i am using IPTables to intercept the port 80 and 443 traffic, and DNAT'ing the traffic to a HAProxy VIP. i have the front end configured as such: frontend tproxy bind

Re: Need help to configure ha proxy

2016-09-07 Thread Harish Chander
the inservice. Regard's Harish Chander 8529142143 * From: Jeff Palmer <j...@palmerit.net> Sent: Tuesday, August 30, 2016 7:05 PM To: Harish Chander Cc: haproxy@formilux.org Subject: Re: Need help to configure ha proxy This config appears to be a decent

Re: Need help to configure ha proxy

2016-09-02 Thread Harish Chander
* From: Jeff Palmer <j...@palmerit.net> Sent: Tuesday, August 30, 2016 7:05 PM To: Harish Chander Cc: haproxy@formilux.org Subject: Re: Need help to configure ha proxy This config appears to be a decent start. and looks to meet your requirements for http. Now you jus

Re: Need help to configure ha proxy

2016-08-30 Thread Jeff Palmer
<harish.chan...@hotmail.com> wrote: > Hi, > > > I shall be really thankful you if you help in configure haproxy or its > possible or not. > > > External ELB - In external AWS ELB i have 2 Ha proxy server > > > HA Proxy > > connect > > haproxy > b

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-08-11 Thread Amos Jeffries
On 11/08/2016 10:05 p.m., Erik Seres wrote: > Hi Amos, > > Thanks for the answers. After a bit of a delay, I’m getting back to > implementing this. However, I still have a couple of questions in line > below... > > Thanks, > Erik > > >> On 2016 Jun 1, at 08:44, Amos Jeffries wrote: >> >> On

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-08-11 Thread Erik Seres
Hi Amos, Thanks for the answers. After a bit of a delay, I’m getting back to implementing this. However, I still have a couple of questions in line below... Thanks, Erik > On 2016 Jun 1, at 08:44, Amos Jeffries wrote: > > On 30/05/2016 11:03 p.m., Erik Seres wrote: >>

haproxy as partly forward proxy

2016-07-15 Thread Aleksandar Lazic
Hi all. What do you think about this idea / statement. Due to the fact that HAProxy have now dns resolution and the possibility to use lua scripting is it possible to use haproxy as forward proxy? Yes I know this is a "crazy" idea but hey why not ;-) Opinions? Cheers Aleks

[Cohesive Networks] Listing "HA Proxy" published

2016-06-27 Thread Cohesive Networks
Hooray! Your listing "HA Proxy" is now available at http://cohesive-networks.com/directory/ha-proxy/ and can be viewed by the public. Want to make edits or updates? You should be able to log in and "submit changes." Don't forget to add your contact information so custo

[Cohesive Networks] HA Proxy - Expiration notice

2016-06-10 Thread Cohesive Networks
Your listing "HA Proxy" in category VNS3 Plug-in System Partners expired on June 10, 2016. To renew your listing click the link below. http://cohesive-networks.com/directory?action="">

[Cohesive Networks] HA Proxy - Expiration notice

2016-06-05 Thread Cohesive Networks
Your listing "HA Proxy" is about to expire at Cohesive Networks. You can renew it here: http://cohesive-networks.com/directory?action="">.

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-06-01 Thread Amos Jeffries
On 30/05/2016 11:03 p.m., Erik Seres wrote: > Hi Willy and Amos, > > I think I am confused by what information is expected to go into the > PP2_TYPE_AUTHORITY field and how it would be a suitable substitute > for what SNI represents. PP2 is generic and needs to relay multiple protocols.

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-05-30 Thread Erik Seres
h I have not taken the final step of using it as a >> substitute for SNI (was just about to start that actually - good timing). > > Ah thanks, I always forget that it is supposed to be equivalent to the SNI. > I searched quite a bit because I remembered it was supposed t

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-05-27 Thread Willy Tarreau
. Though I have not taken the final step of using it as a > substitute for SNI (was just about to start that actually - good timing). Ah thanks, I always forget that it is supposed to be equivalent to the SNI. I searched quite a bit because I remembered it was supposed to be there but couldn't fin

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-05-27 Thread Amos Jeffries
egister > new IDs... PP2_TYPE_AUTHORITY as 0x02 is already mentioned in your 1.5 and 1.6 PP documents. Though I have not taken the final step of using it as a substitute for SNI (was just about to start that actually - good timing). AFAICT you have a good pattern started already and documented in

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-05-26 Thread Willy Tarreau
.com> Date: Thu, 12 May 2016 11:05:14 +0200 Subject: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header. If the client provides the server name it intends to connect to, per RFC3546, Section 3.1. Server Name Indication, this patch will pass the server name onto

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-05-26 Thread Erik Seres
ame it intends to connect to, per RFC3546, > Section 3.1. Server Name Indication, this patch will pass the server name > onto the backend server as part of the proxy protocol v2 header. > > The patch defines the new SSL subtype PP2_TYPE_SSL_SNI and the corresponding > flag PP2_CLIENT

Re: [PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-05-26 Thread Willy Tarreau
r as part of the proxy protocol v2 header. > > The patch defines the new SSL subtype PP2_TYPE_SSL_SNI and the corresponding > flag PP2_CLIENT_SNI to accomplish this in an additional TLV. > > Please review. I think this is OK technically speaking. And it's something we've indeed been missi

[PATCH] [RFC]/MINOR: connection: Add server name to proxy protocol v2 header.

2016-05-12 Thread Erik Seres
If the client provides the server name it intends to connect to, per RFC3546, Section 3.1. Server Name Indication, this patch will pass the server name onto the backend server as part of the proxy protocol v2 header. The patch defines the new SSL subtype PP2_TYPE_SSL_SNI and the corresponding

HA Proxy - Dummy Frontend redirection

2016-05-10 Thread Lucas Teligioridis
Hi, Is the following configuration viable and a workable solution? Or am I going to run into some cookie/session persistent issues? The idea behind this is so I can separate all my services into different frontend and just having a cleaner configuration of settings to use. Is the

Re: AWS ELB with SSL backend adds proxy protocol inside SSL stream

2016-05-10 Thread Hector Rivas Gandara
Hello, On 10 May 2016 at 14:23, Jonathan Matthews wrote: > On 5 May 2016 at 12:11, Hector Rivas Gandara > wrote: >> * If not, is there a better way to 'chain' the config as I did above. > Take a look at the "abns@"

Re: AWS ELB with SSL backend adds proxy protocol inside SSL stream

2016-05-10 Thread Jonathan Matthews
Hello Hector - On 5 May 2016 at 12:11, Hector Rivas Gandara wrote: > * If not, is there a better way to 'chain' the config as I did above. I don't have any insight into the protocol layering problem you're having, I'm afraid, but if you do

Re: AWS ELB with SSL backend adds proxy protocol inside SSL stream

2016-05-09 Thread Hector Rivas Gandara
On 5 May 2016 at 23:27, Igor Cicimov wrote: > > > On 5 May 2016 10:39 pm, "Hector Rivas Gandara" > wrote: > > > https://jve.linuxwall.info/ressources/taf/haproxy-aws/ > > Thank you for your answer, but this

Re: AWS ELB with SSL backend adds proxy protocol inside SSL stream

2016-05-05 Thread Hector Rivas Gandara
Hi, > https://jve.linuxwall.info/ressources/taf/haproxy-aws/ Thank you for your answer, but this article describes a configuration where the ELB is setup in plain TCP mode (no SSL), so it does not do reencryption but passes the stream to

Re: AWS ELB with SSL backend adds proxy protocol inside SSL stream

2016-05-05 Thread Igor Cicimov
because so only restricted people has access to the end >user certs) > * ELB connects to HAproxy backend using SSL (also requirement) > * ELB sends proxy headers as described in http://amzn.to/1YajEG3 > > * HAproxy listens SSL in 443 > * HAProxy is used for doing some

AWS ELB with SSL backend adds proxy protocol inside SSL stream

2016-05-05 Thread Hector Rivas Gandara
Hello, we are trying to configure this architecture: * ELB terminating SSL, using preconfigured certificates. (this is a requirement because so only restricted people has access to the end user certs) * ELB connects to HAproxy backend using SSL (also requirement) * ELB sends proxy

Server Name Indication in Proxy Protocol line

2016-05-02 Thread Erik Seres
Hello, I am looking to define and add a new TLV to the Proxy Protocol line to pass the intended server name (RFC3546 3.1.) to the backend servers. I would like to implement this functionality and “register” a new “PP2_TYPE_SNI” for it. Is there any work currently being done to add

agent-check sends PROXY protocol

2016-04-21 Thread James Brown
It appears that if a server is configured to send the PROXY protocol *and* the server does not have a `check port` set, the agent check will always send the PROXY protocol. This doesn't seem to be documented anywhere, and it's kind of strange (especially since non-agent checks have the check-send

Re: Sharing SSL information via PROXY protocol or HAProxy internally

2016-04-16 Thread Christian Ruppert
Hi Dennis, On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote: On 15.04.2016 16:01, Christian Ruppert wrote: Hi, would it be possible to inherit the SSL information from a SSL listener/frontend via PROXY protocol? So for example: listen ssl-relay mode tcp ... server rsa unix@/var

Re: Sharing SSL information via PROXY protocol or HAProxy internally

2016-04-15 Thread Dennis Jacobfeuerborn
On 15.04.2016 16:01, Christian Ruppert wrote: > Hi, > > would it be possible to inherit the SSL information from a SSL > listener/frontend via PROXY protocol? > So for example: > > listen ssl-relay > mode tcp > > ... > > server rsa unix@/var/ru

Sharing SSL information via PROXY protocol or HAProxy internally

2016-04-15 Thread Christian Ruppert
Hi, would it be possible to inherit the SSL information from a SSL listener/frontend via PROXY protocol? So for example: listen ssl-relay mode tcp ... server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 listen ssl-rsa_ecc mode tcp ... bind unix@/var/run

Re: Transparent proxy that doesn't destroy your default gateway

2016-04-06 Thread Igor Cicimov
On Wed, Apr 6, 2016 at 11:34 PM, Lukas Erlacher wrote: > Addendum: > > On the load balancer, > > iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT > > will match *all* packets (for example the packets of your SSH connection, > since there is undoubtedly a socket for

Re: send-proxy behavior when the client closes the connection prematurely

2016-04-06 Thread Frederik Deweerdt
On Wed, Apr 6, 2016 at 9:53 AM, Willy Tarreau wrote: [...] > So this means that in TCP mode we're aware of the abort earlier than in > HTTP mode. Thus we theoretically have everything needed to decide not to > connect if possible. > /me nods, it appears so. > This one will result in

Re: send-proxy behavior when the client closes the connection prematurely

2016-04-06 Thread Willy Tarreau
Hi Frederik, On Wed, Apr 06, 2016 at 08:49:09AM -0700, Frederik Deweerdt wrote: > > > Mmm, adding "option abortonclose" does work in "mode http", but not in > > > "mode tcp", which I've been using. > > > > Why are you saying this ? > > That's what I'm seeing in my tests, with ssl_sock_to_buf

Re: send-proxy behavior when the client closes the connection prematurely

2016-04-06 Thread Frederik Deweerdt
Hello Willy, On Sun, Apr 3, 2016 at 11:15 PM, Willy Tarreau wrote: > On Thu, Mar 31, 2016 at 12:37:03PM -0700, Frederik Deweerdt wrote: > > >> It seems that we would be a bit more efficient if we also aborted when > > >> si_b->state was SI_ST_INI: that is, don't even try to open a

Re: Transparent proxy that doesn't destroy your default gateway

2016-04-06 Thread Lukas Erlacher
Addendum: On the load balancer, iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT will match *all* packets (for example the packets of your SSH connection, since there is undoubtedly a socket for those SSH packets), at least it does on my system; this is much nicer IMO: iptables -t

Re: send-proxy behavior when the client closes the connection prematurely

2016-04-04 Thread Willy Tarreau
does close the connection there. Then you definitely need to enable the option :-) > > I'm thinking about two possibilities : > > - either we consider that if we can't retrieve a connection's address > > for a proxy protocol line we must fail and abort the conne

Re: send-proxy behavior when the client closes the connection prematurely

2016-03-31 Thread Frederik Deweerdt
ration that boils down to: >> >> [SSL Traffic] ---> [HAProxy] ---[via send_proxy]--> [Proxy] >> >> We're seeing this with 1.5.12 but the latest git behaves in the same way >> (Patches are against latest git). >> >> We have custom code in conn_si_sen

Re: send-proxy behavior when the client closes the connection prematurely

2016-03-30 Thread Willy Tarreau
Hi Frederik, On Mon, Mar 28, 2016 at 02:31:27PM -0700, Frederik Deweerdt wrote: > Hi, > > I've been working on an issue we've been seeing on very high loads with > a configuration that boils down to: > > [SSL Traffic] ---> [HAProxy] ---[via send_proxy]--> [

send-proxy behavior when the client closes the connection prematurely

2016-03-28 Thread Frederik Deweerdt
Hi, I've been working on an issue we've been seeing on very high loads with a configuration that boils down to: [SSL Traffic] ---> [HAProxy] ---[via send_proxy]--> [Proxy] We're seeing this with 1.5.12 but the latest git behaves in the same way (Patches are against latest git). W

Re: METH_CONNECT, HTTPS forward proxy

2016-03-23 Thread Aleksandar Lazic
; wrote: I see METH_CONNECT as a pre-defined acl, but much googling leaves me without a clue as to how to use it. I hope to have haproxy act as a forward proxy target for browsers using a proxy.pac file. I believe proxied traffic (both HTTP and HTTPS) usually goes to the same proxy port, with H

Re: METH_CONNECT, HTTPS forward proxy

2016-03-23 Thread Jim Freeman
tunnel > http://gc-taylor.com/blog/2011/11/10/nginx-aws-elb-name-resolution-resolvers > > On Tue, Mar 22, 2016 at 11:03 PM, Jim Freeman <sovr...@gmail.com> wrote: >> I see METH_CONNECT as a pre-defined acl, but much googling leaves me >> without a clue as to how to use it. >

Re: METH_CONNECT, HTTPS forward proxy

2016-03-22 Thread Jim Freeman
PM, Jim Freeman <sovr...@gmail.com> wrote: > I see METH_CONNECT as a pre-defined acl, but much googling leaves me > without a clue as to how to use it. > > I hope to have haproxy act as a forward proxy target for browsers > using a proxy.pac file. I believe proxied traffic (
